List and Get key operations in Azure Key Vault

Question

List and Get key operations in Azure Key Vault

We use Azure Key Vault to store the secrets of our applications.
There were always enough Get key operations to access secrets.
Are there any recommendations and practices for using the List key operation to access keys?
How much less secure is it?
The manual says that with these List rights you can get access to all keys of the Key Vault

2 answers

Your answer

Answer 1

anonymous user
Thank you for the post!

Are there any recommendations and practices for using the List key operation to access keys?
-From my understanding, there aren't any specific recommendations for using the "List key" operation to access keys, since it's up to the end user on what operation they'd like to use. For more information on Azure Key Vault best practices.

Reading over the documentation, it explains both commands as essentially doing the same thing, however, walking through each call and comparing the output, I noticed that both show the same attributes, however, when using the GET Keys API, it returned my certificate along with my Keys.

az keyvault key list:
Lists keys in the specified Vault or HSM.
Retrieves a list of the keys in the Vault or HSM as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response.

Get Keys - Get Keys:
List keys in the specified vault.
Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response.

How much less secure is it?
-Can you expand further on this, what do you mean by less secure?

The manual says that with these List rights you can get access to all keys of the Key Vault
-What manual are you referring to, are you able to provide a link?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Prokhorov Dmytro (Прохоров Дмитро) 41 Reputation points

2020-10-28T10:23:27.02+00:00

Thanks for the answer

In the Key operations section of the doc https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys
I read:

List: Allows a client to list all keys in a given Key Vault.

How correct and safe is it to allow the application to get all secrets from the keyvault?
Imagine that there are hundreds of microservices in which a keyvault client is implemented through the List privileges, and they all loaded a list of all keyvault secrets into their memory. Doesn't that increase the attack circle?
If I understand everything correctly, the best and safest way is to retrieve the secret value from the known secret name with Get privileges. In this case, the microservice will only know the values of the secrets it needs.
Fausto Filippi 0 Reputation points

2023-07-17T12:41:11.5566667+00:00

Sorry, I need to get an AES Key stored into my Azure Key Vault managed HSM. I have already done the following steps: +Register an application with the Microsoft identity platform +Configure an application to expose a web API +Configure a client application to access a web API Now I am trying to authenticate with OAuth2.0 but I receive an HTML page instead of the authoritazion code. How can I get the correct code? This is my link var url = "https://login.microsoftonline.com/xxx-xx-xx-xx-xxxx/oauth2/v2.0/authorize?" + "client_id=xx-x-x-x-xx" + "&response_type=code" + "&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient" + "&response_mode=query" + "&scope=api%3A%2F%2Fd3xxx%2FKey.Read.All" + "&state=12345" + "&code_challenge=xxx" + "&code_challenge_method=S256";

Answer 2

Shravani Meeriyalkar 1

Hi,

Following up to check if there is any answer on how safe is it to provide LIST permission to a client as it lists out all secret names in a key vault. Is only GET permission just enough to access the key vault to get the secret value using the particular secret names provided to the client?

Fausto Filippi 0

Sorry, I need to get an AES Key stored into my Azure Key Vault managed HSM.

I have already done the following steps:

Now I am trying to authenticate with OAuth2.0 but I receive an HTML page instead of the authoritazion code. How can I get the correct code?

This is my link

var url = "https://login.microsoftonline.com/xxx-xx-xx-xx-xxxx/oauth2/v2.0/authorize?" +
                    "client_id=xx-x-x-x-xx" +
                    "&response_type=code" +
                    "&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient" +
                    "&response_mode=query" +
                    "&scope=api%3A%2F%2Fd3xxx%2FKey.Read.All" +
                    "&state=12345" +
                    "&code_challenge=xxx" +
                    "&code_challenge_method=S256";

Share via

List and Get key operations in Azure Key Vault

2 answers

Your answer